def test_get_sigma_rule(self): """Test getting sigma rule from file""" filepath = "./data/sigma/rules/lnx_susp_zmap.yml" rule = sigma_util.get_sigma_rule(filepath) self.assertIsNotNone(rule) self.assertIn("zmap", rule.get("es_query")) self.assertIn("b793", rule.get("id")) # temp write a file with content with open("./data/sigma/rules/temporary.yml", "w+", encoding='utf-8') as f: f.write(SIGMA_MOCK_RULE_TEST4) self.assertNotEqual(0, os.stat(f.name).st_size) self.assertIsNotNone(f) rule_by_file = sigma_util.get_sigma_rule(f.name) # Test that rule from file equals rule from text rule_by_text = sigma_util.get_sigma_rule_by_text(SIGMA_MOCK_RULE_TEST4) self.assertEqual(rule_by_file.get('id'), rule_by_text.get('id')) self.assertEqual(rule_by_file.get('es_query'), rule_by_text.get('es_query')) # clean up os.remove(f.name)
def post(self): """Handles POST request to the resource. Returns: JSON sigma rule """ form = request.json if not form: form = request.data content = form.get('content') if not content: return abort(HTTP_STATUS_CODE_BAD_REQUEST, 'Missing values from the request.') try: sigma_rule = ts_sigma_lib.get_sigma_rule_by_text(content) except ValueError: logger.error('Sigma Parsing error with the user provided rule', exc_info=True) abort(HTTP_STATUS_CODE_BAD_REQUEST, 'Error unable to parse the provided Sigma rule') except NotImplementedError as exception: logger.error( 'Sigma Parsing error: Feature in the rule provided ' ' is not implemented in this backend', exc_info=True) abort(HTTP_STATUS_CODE_BAD_REQUEST, 'Error generating rule {0!s}'.format(exception)) except sigma_exceptions.SigmaParseError as exception: logger.error('Sigma Parsing error: unknown error', exc_info=True) abort( HTTP_STATUS_CODE_BAD_REQUEST, 'Sigma parsing error generating rule with error: {0!s}'. format(exception)) except yaml.parser.ParserError as exception: logger.error( 'Sigma Parsing error: an invalid yml file has been provided', exc_info=True) abort( HTTP_STATUS_CODE_BAD_REQUEST, 'Sigma parsing error: invalid yaml provided {0!s}'.format( exception)) if sigma_rule is None: abort(HTTP_STATUS_CODE_NOT_FOUND, 'No sigma was parsed') metadata = {'parsed': True} return jsonify({'objects': [sigma_rule], 'meta': metadata})
def test_get_rule_by_text(self): """Test getting sigma rule by text.""" rule = sigma_util.get_sigma_rule_by_text(MOCK_SIGMA_RULE) self.assertIsNotNone(MOCK_SIGMA_RULE) self.assertIsNotNone(rule) self.assertIn('zmap', rule.get('es_query')) self.assertIn('b793', rule.get('id')) self.assertRaises(sigma_exceptions.SigmaParseError, sigma_util.get_sigma_rule_by_text, MOCK_SIGMA_RULE_ERROR1)
def test_get_rule_by_text(self): """Test getting sigma rule by text.""" rule = sigma_util.get_sigma_rule_by_text(SIGMA_MOCK_RULE_TEST4) self.assertIsNotNone(SIGMA_MOCK_RULE_TEST4) self.assertIsNotNone(rule) self.assertEqual( '(data_type:"windows:evtx:record" AND source_name:("Microsoft-Windows-Security-Auditing" OR "Microsoft-Windows-Eventlog") AND event_identifier:"4624" AND xml_string:"\\\\WmiPrvSE.exe")', # pylint: disable=line-too-long rule.get("es_query"), ) rule = sigma_util.get_sigma_rule_by_text(SIGMA_MOCK_RULE_ENDSWITH) self.assertIsNotNone(SIGMA_MOCK_RULE_ENDSWITH) self.assertIsNotNone(rule) rule = sigma_util.get_sigma_rule_by_text(MOCK_SIGMA_RULE) self.assertIsNotNone(MOCK_SIGMA_RULE) self.assertIsNotNone(rule) self.assertIn("zmap", rule.get("es_query")) self.assertEqual( '(data_type:("shell:zsh:history" OR "bash:history:command" OR "apt:history:line" OR "selinux:line") AND "apt-get install zmap")', # pylint: disable=line-too-long rule.get("es_query"), ) self.assertIn("b793", rule.get("id")) with self.assertRaises(sigma_exceptions.SigmaParseError): sigma_util.get_sigma_rule_by_text(MOCK_SIGMA_RULE_ERROR1) self.assertIn("2020/06/26", rule.get("date")) self.assertIsInstance(rule.get("date"), str) rule = sigma_util.get_sigma_rule_by_text(MOCK_SIGMA_RULE_2) self.assertIsNotNone(rule) self.assertEqual( '("Whitespace at" OR " beginning " OR " and extra text ")', rule.get("es_query"), ) rule = sigma_util.get_sigma_rule_by_text(MOCK_SIGMA_RULE_3) self.assertIsNotNone(rule) self.assertEqual( '(data_type:"windows:evtx:record" AND " lorem ")', rule.get("es_query"), ) with self.assertRaises(NotImplementedError): sigma_util.get_sigma_rule_by_text(COUNT_RULE_1) rule = sigma_util.get_sigma_rule_by_text(MOCK_SIGMA_RULE_DATE_ERROR1) self.assertIsNotNone(MOCK_SIGMA_RULE_DATE_ERROR1) # it is actually: 'date': datetime.date(2022, 1, 10) self.assertIsInstance(rule.get("date"), datetime.date) self.assertIsNot("2022-01-10", rule.get("date")) self.assertIn("dd23d2323432", rule.get("modified")) rule = sigma_util.get_sigma_rule_by_text(MOCK_SIGMA_RULE_DOTS) self.assertIsNotNone(MOCK_SIGMA_RULE_DOTS) self.assertIsNotNone(rule) self.assertEqual("67b9a11a-03ae-490a-9156-9be9900aaaaa", rule.get("id")) self.assertEqual( r'("aaa:bbb" OR "ccc\:\:ddd")', rule.get("es_query"), ) rule = sigma_util.get_sigma_rule_by_text( MOCK_SIGMA_RULE_STARTSWITH_ENDSWITH) self.assertIsNotNone(MOCK_SIGMA_RULE_STARTSWITH_ENDSWITH) self.assertIsNotNone(rule) self.assertEqual("5d2c62fe-3cbb-47c3-88e1-88ef73503a9f", rule.get("id")) self.assertIn( 'event_identifier:"10" AND (xml_string:"\\\\foobar.exe" AND xml_string:"10"', # pylint: disable=line-too-long rule.get("es_query"), )